Report: Data Breaches Cost N.Y. Businesses $1.37B Last Year

Security breaches exposing consumers’ personal information are becoming larger and more frequent in New York, costing businesses more than $1.37 billion last year, the state attorney general’s office said.

Data breaches in the state more than tripled from 2006 to 2013, resulting in the exposure of 22.8 million personal records, according to a report released today by New York Attorney General Eric Schneiderman. Almost 5,000 breaches were reported to the office by businesses, nonprofits and government entities during that time, with hacking attacks causing the worst damage.

“Our expansive look at data breaches found that millions of New Yorkers have been exposed without their knowledge or consent,” Schneiderman said in a statement. The office will take a “collaborative approach to address the complex problems surrounding data security,” Schneiderman said.

Target Corp., the Minneapolis-based retailer, was the victim of a breach last year that allowed hackers to access payment data for 40 million of its customers’ debit and credit cards. LivingSocial Inc., the daily coupon website based in Washington, said last year that more than 50 million customers may have been affected by a cyber-attack.

The cost to businesses in New York was based on research estimating the price of each personal record compromised at $188, according to the attorney general’s report.

‘Mega Breaches’

“Mega breaches” such as the Target attack are becoming increasingly common and are generally caused by hackers, Schneiderman’s office said. Hacking accounted for more than 40 percent of security breaches, according to the office. Data can also be compromised by accidental exposure and theft by employees within a company.

Schneiderman said that “engaging industry stakeholders and security experts, as well as lawmakers” could help provide tools for better protecting data.

Breaches at Target and other retailers helped renew a call this year for a federal law requiring notification of consumers when personal data is accessed. Legislative proposals have failed to advance as lawmakers struggle to “decide what they want to achieve” with the measure, said Mallory Duncan, general counsel for the National Retail Federation.

“Sometimes they’re trying to lock up information that’s not sensitive,” Duncan said. “Some bills out there talk about sensitive financial information, but also throw in things like your name, your address and your shoe size.”

While most states have laws requiring notification, they vary from state to state, Duncan said. Schneiderman’s office has been collecting information about breaches since December 2005, after New York’s law governing notification went into effect.

The U.S. has also accused China of stealing information from American companies that would be useful to competitors, indicting five Chinese military hackers in May. China has denied wrongdoing and suspended participation in a cybersecurity working group with the U.S. in response.